Characteristics of Hospital Data Breaches in the US Revealed in AJMC Study

A study published in the American Journal of Managed Care examined the typical characteristics of hospital data breaches in the United States. It sought to identify the biggest problem areas, the kind of information most often at risk, and the major causes of data breaches.

According to the study, hospitals accounted for about 30% of all healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights from 2009 to 2016, making hospitals the most commonly breached type of healthcare provider. Of the 215 breaches reported, 185 were from nonfederal acute care hospitals, and 30 had multiple breaches impacting 500 or more medical records. One hospital had 4 breaches in 7 years, 5 hospitals had 3, and 24 hospitals had two. These hospital breaches also resulted in the largest number of stolen health records.

The most common problem area for PHI breaches involved paper and film: 65 hospitals had paper/film data breaches from 2009 to 2016. Nevertheless, only a small number of patients were affected by this type of breach. Hospitals did not experience many malware or ransomware attacks on network servers in the period studied, but those attacks were the most severe and accounted for the highest number of stolen records. The second most common problem area involved PHI stored on media other than paper or film, such as laptops, desktops, email, network servers and EHRs; fifty-six hospitals reported this type of breach. The third most common problem area involved laptops, as reported by 51 hospitals.

The major causes of breaches were theft incidents (reported by 112 hospitals), unauthorized access or disclosure (reported by 54 hospitals) and hacking/IT incidents (reported by 27 hospitals). After performing multivariate logistic regression analysis, the researchers found that different types of hospitals had varying susceptibility to data breaches. The most susceptible were teaching and pediatric hospitals. Bigger hospitals were also more susceptible to data breaches than smaller facilities, and not-for-profit hospitals reported more breaches than investor-owned hospitals.

The researchers explained that although hospitals have the technology and use digitized health data to satisfy the Meaningful Use requirements, they were not really focused on data security. Only 5% of the hospitals’ IT budgets were spent on security. If they want to prevent data breaches, they need to spend more on data security, especially in the area of paper/film, to reduce theft and unauthorized access.

The researchers' other suggestions for reducing data breaches include:

Conducting regular audits to monitor who is accessing PHI

Using biometric measures to limit unauthorized access

Using 2-factor authentication on user accounts

Limiting the number of employees allowed to access PHI to those who need it to complete their work duties